Hijacked DNS Servers – Pointing to Ukraine

My parents have been having an issue with the internet at their place for a while now. I’ve just had a chance to look at it and it is quite suspicious.

Randomly when a Google search was performed, when you clicked the links you would be redirected to sites that you were not expecting, primarily parked domains much like this one:

Jupk.com is one of the domains they were being redirected to.

Other times, you would just be redirected to a parked page whenever you manually entered an address, again completely at random.

None of this made a lot of sense to me. While I have been visiting though, they have also started having websites load up some code on top of the original website that presented what appeared to be a Windows Vista/Windows 7 dialogue box:

Malicious code injected into websites at random in Firefox.

This didn’t fool anyone here since every computer here is a Mac except for some of my brothers, and he only uses the Windows computers for games anyway, not for browsing.

In the above screenshot, I was using Firefox, however it seems to come up in any browser, as per the below screenshot where I was using Chrome:

Malicious code injected into websites at random in Google Chrome.

As you can see, it’s the same box and it greys out the website itself, very cleverly mimicking the behaviour of the security dialogues in Windows Vista and Windows 7.

The dialogue itself reads:

Windows Internet Security

Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website in unsafe mode may lead to the loss of personal data and computer breakage. To run the web browser in protected mode Windows requires installing the certified antivirus scanner software and online protection tool.

Name: Online Protection tool
Publisher: Microsoft Windows

Always trust this website

Allow – Don’t Allow

There is some suspect grammar in there, but otherwise, on a Windows Vista or Windows 7 machine, it would fit right in. Simply refreshing the website would get rid of it. It seems to be random as to when it loads or not, and as you can see it has come up on some quite reputable websites in the above screenshots, including the TPG website.

The thing that really got me is that while this is obviously some JavaScript that’s been stuck over the website that is designed to come up once the site finishes loading, it completely bypassed the built-in security of Firefox and Chrome. Both these browsers bring up warnings when you attempt to access known malicious sites, or when they detect malicious code and the like. I don’t know exactly how or what they do, but they do it, and this bypasses that and most likely also bypasses the built-in security of Internet Explorer, Safari and Opera as well. It makes sense though, those addresses are not known malicious sites.

I made the assumption once I realised it was happening on both browsers and after it happened on the TPG website, that something was injecting code between the server and us. That means either something has been done to the router, or something suspicious is going on at TPG. Since I use TPG at my place and have not had this issue, it seemed unlikely that it would be TPG.

I had a look at the router and after some digging around I had a look at the DNS settings, to see where the router was sending our requests. The DNS should be set to automatic with TPG and with most other ISPs as well; however, my parents' DNS settings were not:

The Router DNS Configuration

As you can see, the DNS was set as:

Primary DNS server: 85.255.115.60
Secondary DNS server: 85.255.112.106

This seemed odd to me as it was unlikely that anyone here would have changed them. You have to know what you are looking for, and what to put there. Otherwise your internet connection isn’t going to work correctly.
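As an added check (not from the original post), this script audits the resolver addresses found in a router status page or a client's resolv.conf against the two addresses above, and flags any public resolver nobody in the household chose. The allowlist of trusted resolvers and the sample configuration are constructed for the example.

```python
import ipaddress
import re

# The two resolver addresses found on the hijacked router in the post.
HIJACK_RESOLVERS = {"85.255.115.60", "85.255.112.106"}
# Constructed allowlist: resolvers deliberately chosen (ISP-issued ones go here too).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_resolvers(text):
    """Return IPv4 addresses on resolver lines: resolv.conf ('nameserver ...')
    or the router status page wording quoted in the post ('Primary DNS server: ...')."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if not re.search(r"nameserver|dns", line, re.I):
            continue
        for match in IPV4.finditer(line):
            try:
                found.append(str(ipaddress.ip_address(match.group(1))))
            except ValueError:  # e.g. 999.1.1.1 matched the regex
                continue
    return found


def classify(addr):
    """Label one resolver address from the defender's point of view."""
    if addr in HIJACK_RESOLVERS:
        return "HIJACKED"
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    if not ipaddress.ip_address(addr).is_global:
        return "local"  # router or DHCP-issued: what "automatic" looks like
    return "UNKNOWN-PUBLIC"  # nobody here chose this resolver: investigate


def audit(text):
    return {addr: classify(addr) for addr in extract_resolvers(text)}


# Constructed sample: the router status page from the post, followed by a
# client's resolv.conf as a healthy router would hand it out via DHCP.
SAMPLE_CONFIG = """\
Primary DNS server: 85.255.115.60
Secondary DNS server: 85.255.112.106
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 1.1.1.1
"""
```

Run `audit(SAMPLE_CONFIG)` to see both hijack addresses flagged while the router's own address is reported as local.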

I did a search for these IP addresses on IP-Lookup and found that both of these addresses point to a server in Ukraine on the //ukrtelegroup.com.ua/ domain. Attempting to visit this domain returns an HTTP page with “nothing” as the only contents of the body. A whois query on the IP address returned the following information:

So, the IP address appears to be owned by a company called Promnet Ltd. I just had a look at their website, //prom-net.com.ua/ and it appears that they are a hosting company that offers clients the ability to “Install any software or application, you want to use”.

Here the company it is registered to appears to be “Elade Standart Limited” for the administrative and technical contacts. After looking at the URL specified, this appears to be a domain name registration company which translated, is called “Allied Standard Limited”.

Something very suspicious is going on here, so I set the DNS back to automatic and rebooted the router. After this the internet immediately went back to normal.

I went back and did some searching afterwards to see what other people have said about it, because I was unsure how exactly it would have happened in the first place aside from the router being hacked.

According to this forum post on GeeksToGo, there was a worm going around called Pipas.A that changed the DNS settings on individual computers to those mentioned earlier.

A post on the BleepingComputer forum indicated a trojan that was going around that sounds very similar to Pipas.A that changed the DNS settings. There was indication from some users that it could affect some routers as well.

One of the most comprehensive sites was gabrielharrison.co.uk which has a list of known bad IP addresses related to this.

It seems to me unlikely that the router here was affected by one of the trojans, simply because, if it were, I would have expected the DNS settings to be changed back to the custom ones after rebooting the router a few times. However, this has not been the case; they have stayed on automatic. It seems to me that the most likely cause was that they scanned a range of IP addresses and attempted to access each one.

When a router login screen appeared they could have attempted to crack the password, but more than likely would have just tried the default login details that are used for most routers, either admin/admin or admin/password.

All they would have to do then is change the DNS settings and reboot the router. It’s unlikely anyone would notice unless they were actively monitoring their traffic routing.

An important lesson from this: change your router password as soon as you set it up; do not leave it at the default settings. Anyone outside can access your router too if they have the correct IP address. It’s just a matter then of figuring out the username and password.

I don’t know if any other important information is harvested as well, such as passwords and personal information, but I think it is worth changing passwords if you have had this happen to you, especially important passwords like bank access and the like.